Minting and Use of Digital Money

ABSTRACT

Systems and methods are provided for constructing a digital money from concatenated or otherwise linked bit strings. Several applications of digital coins include (i) means to secure the use of money according to the prevailing understanding between payer and payee, (ii) a method by which a mint entity that mints and redeems digital money collaborates with traders to jointly earn interest, or jointly gamble in the stock market, or other markets, (iii) a method by which a mint entity that mints and redeems digital money collaborates with merchants, their customers, and credit-extending entities (CEE) to allow the CEE to extend credit to selected group of customers, so that these customers can shop with any participating merchant, and (iv) a method for utility consumption on a real-time basis by splitting digital coins at a rate that pays exactly for the utility measure being consumed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication No. 61/627,977 filed Oct. 22, 2011 and U.S. ProvisionalPatent Application No. 61/688,788 filed May 22, 2012, which areincorporated by reference in their entireties.

INTRODUCTION

Digital money is embodied in the form of ordered bits, namely a stringof binary digits. The string itself expresses the transactional valuethat makes this string into ‘money’, or money equivalent. The string—thebit sequence of ones and zeros—per se carries the value, without regardto the particular media in which the bits are written. Beingmedia-unattached is the characteristics of digital money. Severalmethods have been proposed for creating digital money. The inventiondescribed herein describes a method for minting digital money andvarious usecases which relate to digital money regardless of the methodused in expressing the bit string—the transactional value string. Inorder to make the best use of this new abstract form of money it isnecessary to develop practical, secure and robust applications in thefollowing categories: (i) Anonymity and Security Management, (ii) TheCustomer Loyalty, and Reward Points market, (iii) Continuous Payment,and (iv) Virtual Banking, Investment and Risk Management, (v) GlobalMoney Transfer, and (vi) Small and Physical Cash Transfer, and (vii)Government Support Services. The challenge to develop fittingapplications for the above specified use categories, is the verychallenge addressed by this application.

One application regards the credit market in which a lender (a creditextender) extends credit to a borrower (a credit consumer) prior to theborrower use of this credit, and in such way that interest on the credit(the loan) accrues not from the moment the credit is extended, but fromthe moment the credit is actually used, and exercised by the borrower.Unlike regular loans, such credit-on-demand, has been the prerogative ofbanks, mainly through the global credit networks, like Visa and MasterCard, which are universally accepted. The same service can be offered bynon-banks using the invention described herein. A second applicationregarding interest bearing accounts, which can be used while, at thesame time, working with the money that earns the interest. A thirdapplication regards betting on risky assets, which may rise or fall invalue.

DESCRIPTION OF THE INVENTION

While the present teachings of this invention are described inconjunction with various embodiments, it is not intended that thepresent teachings be limited to such embodiments. On the contrary, thepresent teachings of this invention encompass various alternatives,modifications, and equivalents, as will be appreciated by those of skillin the art.

Further, in describing various embodiments, the specification may havepresented a method and/or process as a particular sequence of steps.However, to the extent that the method or process does not rely on theparticular order of steps set forth herein, the method or process shouldnot be limited to the particular sequence of steps described. As one ofordinary skill in the art would appreciate, other sequences of steps maybe possible. Therefore, the particular order of the steps set forth inthe specification should not be construed as limitations on the claims.In addition, the claims directed to the method and/or process should notbe limited to the performance of their steps in the order written, andone skilled in the art can readily appreciate that the sequences may bevaried and still remain within the spirit and scope of the variousembodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The skilled artisan will understand that the drawings, described below,are for illustration purposes only. The drawings are not intended tolimit the scope of the present teachings in any way.

FIG. 1 is a block diagram that illustrates a computer system, upon whichembodiments of the present teachings may be implemented.

FIG. 2 depicts the consumer credit, today and tomorrow, in accordancewith various embodiments.

FIG. 3 depicts the structure of Dual String Option digital coin, inaccordance with various embodiments.

DETAILED DESCRIPTION OF THE INVENTION Computer-Implemented System

FIG. 1 is a block diagram that illustrates a computer system 100, uponwhich embodiments of the present teachings may be implemented. Computersystem 100 includes a bus 102 or other communication mechanism forcommunicating information, and a processor 104 coupled with bus 102 forprocessing information. Computer system 100 also includes a memory 106,which can be a random access memory (RAM) or other dynamic storagedevice, coupled to bus 102 for storing instructions to be executed byprocessor 104. Memory 106 also may be used for storing temporaryvariables or other intermediate information during execution ofinstructions to be executed by processor 104. Computer system 100further includes a read only memory (ROM) 108 or other static storagedevice coupled to bus 102 for storing static information andinstructions for processor 104. A storage device 110, such as a magneticdisk or optical disk, is provided and coupled to bus 102 for storinginformation and instructions.

Computer system 100 may be coupled via bus 102 to a display 112, such asa cathode ray tube (CRT) or liquid crystal display (LCD), for displayinginformation to a computer user. An input device 114, includingalphanumeric and other keys, is coupled to bus 102 for communicatinginformation and command selections to processor 104. Another type ofuser input device is cursor control 116, such as a mouse, a trackball orcursor direction keys for communicating direction information andcommand selections to processor 104 and for controlling cursor movementon display 112. This input device typically has two degrees of freedomin two axes, a first axis (i.e., x) and a second axis (i.e., y), thatallows the device to specify positions in a plane.

A computer system 100 can perform the present teachings. Consistent withcertain implementations of the present teachings, results are providedby computer system 100 in response to processor 104 executing one ormore sequences of one or more instructions contained in memory 106. Suchinstructions may be read into memory 106 from another computer-readablemedium, such as storage device 110. Execution of the sequences ofinstructions contained in memory 106 causes processor 104 to perform theprocess described herein. Alternatively hard-wired circuitry may be usedin place of or in combination with software instructions to implementthe present teachings. Thus implementations of the present teachings arenot limited to any specific combination of hardware circuitry andsoftware.

The term “computer-readable medium” as used herein refers to any mediathat participates in providing instructions to processor 104 forexecution. Such a medium may take many forms, including but not limitedto, non-volatile media, volatile media, and transmission media.Non-volatile media includes, for example, optical or magnetic disks,such as storage device 110. Volatile media includes dynamic memory, suchas memory 106. Transmission media includes coaxial cables, copper wire,and fiber optics, including the wires that comprise bus 102.

Common forms of computer-readable media include, for example, a floppydisk, a flexible disk, hard disk, magnetic tape, or any other magneticmedium, a CD-ROM, digital video disc (DVD), a Blu-ray Disc, any otheroptical medium, a thumb drive, a memory card, a RAM, PROM, and EPROM, aFLASH-EPROM, any other memory chip or cartridge, or any other tangiblemedium from which a computer can read.

Various forms of computer readable media may be involved in carrying oneor more sequences of one or more instructions to processor 104 forexecution. For example, the instructions may initially be carried on themagnetic disk of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 100 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detectorcoupled to bus 102 can receive the data carried in the infra-red signaland place the data on bus 102. Bus 102 carries the data to memory 106,from which processor 104 retrieves and executes the instructions. Theinstructions received by memory 106 may optionally be stored on storagedevice 110 either before or after execution by processor 104.

In accordance with various embodiments, instructions configured to beexecuted by a processor to perform a method are stored on acomputer-readable medium. The computer-readable medium can be a devicethat stores digital information. For example, a computer-readable mediumincludes a compact disc read-only memory (CD-ROM) as is known in the artfor storing software. The computer-readable medium is accessed by aprocessor suitable for executing instructions configured to be executed.

The following descriptions of various implementations of the presentteachings have been presented for purposes of illustration anddescription. It is not exhaustive and does not limit the presentteachings to the precise form disclosed. Modifications and variationsare possible in light of the above teachings or may be acquired frompracticing of the present teachings. Additionally, the describedimplementation includes software but the present teachings may beimplemented as a combination of hardware and software or in hardwarealone. The present teachings may be implemented with bothobject-oriented and non-object-oriented programming systems.

Systems and Methods of Data Processing

Before one or more embodiments of the invention are described in detail,one skilled in the art will appreciate that the invention is not limitedin its application to the details of construction, the arrangements ofcomponents, and the arrangement of steps set forth in the followingdetailed description. The invention is capable of other embodiments andof being practiced or being carried out in various ways. Also, it is tobe understood that the phraseology and terminology used herein is forthe purpose of description and should not be regarded as limiting.

Use Environment for Digital Money The Payment Environment:

We define an environment comprised of a mint—an entity that issues,mints, digital money, and of traders—individuals or organizations whotrade with the minted money. The mint will also serve as a coinredeeming authority, (CRA). The minted digital money will beinterchangeably referred to as digital coins, or digital bills, ordigital money, or simply coins and bills.

Lifecycle of a Coin:

A digital coin is born, created when the mint mints, constructs it. Itis then passed to a trader, who may pass it to another trader. The coinwill pass between traders until one trader redeems it—namely, returns itto the mint against its value in some other expression.

Meta-Data:

We offer a design in which the bit string that represents thetransactional value, namely: the value string, is associated (linked,connected, or concatenated) with another string that represents metadata. That meta-data is comprised of (1) identification parameters, (2)terms of payment parameters, (3) security parameters, and (4) specialcase parameters. The essence of this invention is the idea that thedistinct and advantageous use of digital money is based on setting themeta data to support a variety of applications. In many cases thisinherent link between the value part of the coin (the value string), andthe meta-data part of the coin, enables applications which are not soconveniently, or not at all possible with more traditional forms ofmoney. We shall use the names: Alice, Bob, Carla, David, etc. todescribe nominal traders using the digital money, and use the name Eveto designate an eavesdropper, and Harry to designate a “hacker”—a personaiming to violate the good order of digital transactions. The generalpayment dynamics is as follows: Alice is getting a digital coin from themint, usually against payment in another form of money, but in certaincircumstances against a promise to pay, or by some other arrangement.Alice passes the coin or part of it to Bob for some consideration, Bobpasses to Carla, Carla to David, etc., and David redeems the coin at themint, usually against a corresponding amount of money paid in some form,but also against other considerations.

Tethered Money:

Digital coins linked with meta-data that includes terms of payment,which in turn infringe upon the universality of nominal money will bereferred to as tethered money. The use of tethered money will insurethat digital money is spent in accordance with the terms agreed betweenpayer and payee, the method comprising a linkage between the bit-stringthat represents the value of the money (value string), and thecorresponding bit string that represents meta-data for the value string,the meta-data being comprised of (i) identification parameters,including identification of the person or entity, or group of peoplethat have the exclusive right to redeem the coin. (ii) terms of paymentparameters, including, but not limited to expiration date, redemptionvalidity date, product or service, specific or type that must bepurchased by that coin, and any other logical term. (iii) Securityparameters.

The property of being tethered implies that the money referred to by theterms of payment cannot be used as freely as regular money, but ratherin a more limited way, as specified by the terms of payments. Othertradable forms of money cannot be intrinsically tethered to use purpose.Digital money where the value string can be inherently linked to termsof payment allows the link to be permanently recorded in a mintdatabase, and allows for standard cryptographic means to safeguard thetethering. Tethered money is applicable in any case where the transactedmoney is not transferred against a full and equivalent present value inreturn. In any case where the money flows against a promise or intent touse it in a certain way, even if this intent is specified in a validcontract—it is possible to recruit cryptography to tether the money tothe declared purpose articulated by the payer so that by its veryminting its use will be restricted. Tethered money applies to charity,unemployment pay, student loan, and international help to the needy. Itmay also be used to implement modern version of travelers' checks: moneytethered to a declared owner, who is the only person who can redeem thatcoin. The mint will satisfy itself that it talks to the right person,using standard cryptographic tools.

For example, the terms of payment will specify a named entity,(individual or organization), identified by unique attributes, such thatonly that named entity will be allowed to redeem the digital money (tobe paid in nominal currency for its face value), and such that allothers will denied the option to redeem the digital coin,

Anonymity and Security Management:

The meta data may be used to limit coin redemption rights to tradersthat belong to a group, set. This allows for partial anonymity: the mintknows that the redeemer belongs to the designated group, but does notknow the specific identity of the redeemer. Players: (i) the mint, (ii)Alice—a trader requesting a group-privileged coin from the mint, (iii)Bob, a trader submitting a group-privileged coin for redemption, (iv)the group administrator. Issuance Procedure: (a) Alice submits agroup-id, (A), requests the mint to issue her a group-privileged coin;(b) the mint returns a random number, (R); (c) Alice provides A and R,(A+R), to the group administrator to sign with an agreed upon privatekey: S_(a)=(A+R)_(signed). (d) Alice passes S to the mint, (e) the mintverifies the identity of A+R by decrypting S_(a) with the public key ofthe group administrator, and then issues the group-privileged coin toAlice. The meta-data on the coin designates it as group-privileged coin.The group privileged coin may be a discounted coin, where the group paysthe difference, or it may be a ‘free coin’ where the group has abackdoor arrangement with the mint to pay for the group-privilegedissued coin. Redemption Procedure: (f) Bob submits to the mint a groupprivileged coin along with his group-id, B (g) the mint return a randomnumber, R; (h) Bob submits (B+R) to the group administrator, (i) thegroup administrator signs (B+R) with its private key:S_(b)=(B±R)_(signed), (j) Bob submits Sb to the mint, (k) the mintverifies (B+R) by decrypting S_(b) with the group public key, (l) themint then redeems the coin to Bob. In other words, the mint in itscapacity as the coin redeeming authority, when facing a member of thegroup specified in the meta data as allowed to redeem the digital coin,(coin claimant) who identifies itself by name, ‘name’, to the coinredeeming authority (CRA), then it returns a random number, ‘random’ tothe coin-claimant, which the claimant submits along with his name to anadministrative authority of the group named in the meta-data of thecoin, and which said administrative authority signs with its privatekey, producing a signed signature of ‘name’+‘random’, such that the coinclaimant then submits the signed ‘name’ plus ‘random’ to the CRA, whichthe CRA then decrypts with the public key of the group administrativeauthority in order to authenticate the coin claimant as a bona fidemember of the group specified in the meta data of the digital coin, andso concluding, the CRA redeems the coin in favor of the coin claimant.

Customer Loyalty and Inducement Procedures:

These are procedures whereby a party which is interested in influencingthe behavior of others would do so by offering others the benefit ofredeemable digital money. Usually it is a merchant who will offercustomers or prospective customers, some digital coins that areassociated with some limiting redemption options. (Ahead whenever theterm ‘customers’ is used, it would include also ‘prospective customers).These limitations will guide the customer or prospective customer tobehave in a way advantageous to the merchant. These limitations will bespecified in the meta-data, and will limit the redemption of the coin.The redemption limitation data is expressed in the meta-data such thatthe mint's computer can faithfully interpret this limitation data. Ingeneral the mint computer will read meta-data parameters, refer topointed-to data elsewhere and to algorithms stored elsewhere, and thencompute a decision whether the redemption should be approved or not.Common limitation may be (i) validity period—before which and afterwhich the coin cannot be redeemed, (ii) what the redeemer sold againstthe coin submitted for redemption, and (iii) the identity, orgroup-identity of the redeemer. The meta-data could be written by themint, or by the merchant that initiates the loyalty program. The mint inthis case is also called ‘the core mint’, and the merchant, if hemodifies the meta-data, is also referred to as ‘front mint’ or‘foremint.’ The merchant will design and set up the terms under whichhis customers, or prospective customers will receive the restrictedmoney (loyalty money). It may be in lieu of discount from a listedprice, or it may be in the form of a discount coupon used to lurecustomers, it may be restricted to the merchant's store, or it may berestricted to several stores who form a coalition coupon. The merchantwho orders the loyalty money may (i) pay for them to the mint up front,or, (ii) he may pay for them when they are redeemed at another storewith which the merchant forms a coalition discount, or (iii) themerchant may not pay for the digital coin at all, except a certainservice fee. Option (i) above works with the loyalty coins treated asnormal money. The merchant pays for them to the mint up front, and whenthe customers hand them over to the merchant according to the terms ofredemption, the merchant presents the coin to the mint to verifyvalidity and the mint pays the merchant back (minus some servicecommission). The arrangement between the mint and the merchant may bethat the merchant pays only a portion of the nominal value of the coin,and he gets back the same portion upon submitting it for redemption.This is useful for a coalition setup in which several merchants bandtogether to offer loyalty coins that are good with each of the coalitionmerchants. Option (ii) above refers to a coalition setup. A merchantwill distribute loyalty money, for which he pays the nominal value orless, so that if his customer redeems the loyalty money with anothermerchant of the coalition then the merchant pays the mint, and the mintpays the coalition merchant. The third option above, (iii): The merchantwill order from the core mint a certain number of loyalty coins totaling$X. The merchant is not paying the $X to the mint, but the mint will notredeem the coins either. Those coins will be distributed by themerchants to his customers or prospective customers under the merchant'sterms, and when the customers bring them back to the merchant to paywith them, then the merchant passes these coins to the mint. The mintverifies that the submitted coins were in fact minted by it, and werenever redeemed, and conveys this verification to the merchant, who thenaccepts these coins as money. As indicated the mint does get paid anddoes not pay for these coins, they are therefore called “dummy coins”.The mint charges a service fee from the merchant. The merchant is payingfor coin management: insuring that customers don't use a loyalty cointwice, or don't mint loyalty money themselves. Dummy coins have theadvantage that a merchant can issue an abundance of them, and if only afraction of them is used, it's OK, no money loss.

Continuous Payment:

Continuous payment is payment that happens continuously with the passageof time, paying, say US$0.1/second, or payment that happens for everyoccurrence of a chain of events. Some formations of digital money do notlend themselves towards continuous payment, but others do. Two importantcategories for continuous payments are: (a) online services, and (b)embedded services. In an online service a user may hook a digitalmoney-loaded USB stick to his machine, and dedicated software willadjust the value string of the coin to reflect the diminishing value ofthe coin over time, or over cost-counting events. This continuous modemay be used for paying for media per time of reading/viewing/listening,pay per advice and counseling, pay per maintenance and support. Embeddedapplication happens when a digital money loaded device is hooked into acar, or a meter of some kind, where the value string adjusts itselfaccording to time past (say in parking), or per cost-marking events. Thepaid for service may be unique (like a personal legal advice), or it maybe public, or broadcasted, like a movie, or a library. The paid rate maybe flat, or it may be governed by a complex algorithm, and contingentupon the balance between supply and demand. The advantage of this ‘payas you go’ mode is that it works for micropayments, and that it voidsthe need for after-service invoicing, and bill collection. Travelingteachers or experts will use a device, which may be a small computer, ora phone, into which they will stick their customer's digital moneystick, or device (USB or otherwise), and while they are teaching themoney will flow from the stick to the device. At the end of the lessonthe USB stick is disengaged, and the digital money correspondent to thepayment shows up as a digital coin in the teacher's, or service providercomputer. Continuous payment may be used to fine tune car insurancepremium. Today's automobiles are so computerized that they anywayaccumulate driving data in real-time mode. That data can feed analgorithm that would determine payment to be siphoned away from a USBstick, and sent as payment to the insurance company. Safe drivers whodrive in non-accidents prone neighborhoods, and drive less will payless.

Banking Services:

Digital money may change the paradigm of banking in the following sense:today banks serve several functions: (1) they sell credit, (2) they sellinterest, (3) they sell money custody and security services, (4) theyfacilitate money movements, and (4) they originate virtual currency inthe form of banknotes and other tradable instruments. Digital money isminted by the mint (taking care of function (4) above, and the money issafely stored by its owner, since digital money is bit-stored, subjectto encryption, and may be cryptographically fused with terms of paymentsthat insure that only the registered owner of each coin can redeem it.So a thief will not benefit from stealing it. Encryption between payerand payee will also insure that the transfer of money is secure. Thistakes care of functions (2) and (3) that banks fulfill today. Thisleaves banks with only the functions of selling credit and sellinginterest. Albeit, stripped off the other functions of today's banking,they will stand in competition with a large variety of entities thatwill also offer credit and interest for sale. Digital money invitespartnership between the mint and its traders. Together they can exerciseall the functions of the bank except the selling of credit and theselling of interest. Minting the equivalent of banknotes will beaccomplished by the mint, storing and moving the money around will beresponsibility of the trader. So the mint and a trader will be able to(1) deposit the money in and move it under the custody of the trader.The mint and the trader will decide to buy a certain stock in the stockmarket, nominal value: $x. Alice will pay the mint, the mint in turnwill buy the stock, and issue digital coin to Alice. At some futurepoint Alice may wish to redeem the coin. The mint at that moment willsell the stock it bought when it issued the digital coin to Alice. Ifthe price of the stock remained constant, then the mint pays Alice thesum of $x, minus a certain service commission. If selling the amount ofstock bought at the time of minting the coin increases by Δx, then Alicewill be paid $x, and the added sum, Δx, will be divided between Aliceand the mint, according to their agreement upon purchase of the stock.They may divide the added dollars half-half, and in the case Alice willbe paid in total x+0.5Δx dollars. Similarly, if the price of the stockplunges by −Δx, then Alice and the mint bear the loss in pre-agreedproportion. This is an example how Alice and the mint cooperate tomanage risk. In a very similar way they can cooperate to buy interest.Alice will pay $x to the mint, and receive in return a digital coinvalued at $x (minus some service commission). The mint will deposit the$x in an interest bearing account in some bank, or buy some bond marketinstruments. When Alice submits the digital coin for redemption, theMint pulls out the invested dollars, and now holds the original $x plusthe accumulated interest: $Ax. The mint will divide the accumulatedinterest between it and Alice as pre-agreed. If Alice and the mintdecide to invest in a risky account which suffers loss, they share thatloss as pre-agreed. This Alice-mint collaboration will readily extend topurchase of any valuable: real-estate, diamonds, mutual funds, etc. Inall these arrangements Alice handles only digital money, the mint usesthe banks and the commodity markets to deal with the physical assets.The banks will remain the place to go to for interest bearing accounts,etc., but the mint will deal with the banks on a wholesale basis, whichis much more efficient than when the banks deal with individual traders.Another fundamental advantage to this trader-mint paradigm is that Alicecan use the minted digital money while the money accumulates interest,or was spent on buying stocks. If Alice pays such a coin to Bob, and Bobdoes not redeem it, then the mint is indifferent to this transactionbecause the interest continues to accumulate, and also the price of thestock or the valuable oscillates as it does. Alice and Bob may agree tosubsequently share the accumulated interest or the appreciated stock(and also share the losses, if any). This leads to the notion of bankingcoalition in which Alice, Bob, Carla, David and any others will usesuch, say, interest bearing coins only within the group for their backand forth payments, making sure they don't redeem these coins. Thecoalition members will have an agreement how to share the profits andloss, and they will achieve what is not achievable in today's banking:they will use money (inter-payments) while depositing the money to letthe money work for them. The coalition members may choose to build acoalition-internal mint where its coins are purchased with coins usedfor investment as described above.

In other words, this here is a method by which a mint entity that mintsand redeems digital money collaborates with traders to jointly earninterest, or jointly gamble in the stock market, or other markets, byhaving the trader pay the mint the investment sum, and the mint,counters by issuing the trader a digital coin for the face value of hisinvestment, and the mint also, right away, deposits the trader's moneyin an interest bearing account, or the mint is purchasing certainvaluables in a stock market or another appropriate market, and such thatany profit or loss from the investment is shared between the mint andthe trader in pre-agreed proportion, and also such that all the timebetween minting the coin in favor of the trader, and the time ofredemption of said coin, the trader may use the digital coin, as if itwere ready money, pay an obligation with it, or purchase goods andservices, such that the recipient of the coin, and anyone to whom thecoin is paid subsequently, also does not request the mint to redeem thecoin.

Payment on Demand (POD) Digital Coins:

The mint will operate without financial risk if it is paid for its coinsbefore it redeems them. In a normal way the mint will be paid uponminting and delivering the coin, but it can also be paid shortly beforethe coin is submitted for redemption by it. Such arrangement will beregarded as payment-on-demand (POD). Alice will buy $x in POD coins. Theterms of payment for these coins will indicate the POD status, and willrefer to Alice as the one to pay for them. Having been issued thesecoins, Alice might use them to pay Bob, who might pay them to Carla, andso on. At one point, say, David submits that coin for redemption at themint. The mint keeps the case “on hold” while it turns to Alice askingfor payment for the coin submitted for redemption by David. If Alicerefuses or is unable, then the mint denies David's request. If Alicedoes pay the $x to the mint, then the mint will pay the same $x to David(applying some pre agreed service fee). Alice benefits from thisarrangement since she needs to come up with the money much later thannormally. The POD scheme has another intrinsic advantage: POD coins canbe spread around, may be lost, or stolen—they are worthless until paid.This attribute can be used for loyalty money. A merchant might sendemails with POD digital coins as attachments. The emails go to manyprospective customers, but only a fraction of them uses the emails tobuy anything from the merchant. Since the coins are POD, the merchant isnot losing the unused money, and only honors the POD coins that comeback to his store, or to a member of the loyalty coalition. As indicatedabove, if the POD comes to the merchant store, the money cycle is mutebecause the merchant submits the digital coin for redemption, and he isthe one responsible for the POD pre-payment.

Selling Credit:

Alice may wish to sell credit to Bob. She will order POD coins from themint, nominal value $x, and will pass on these coins to Bob. Bob at somelater point in time may wish to buy merchandize for $y<$x. Bob willremit to the merchant, the POD coins he got from Alice. The merchantwill submit the coins to the mint to validate them. The mint willrecognize that these coins have not been paid for, they are POD, andwill recognize that Alice ordered them, so the mint will turn to Alice,requesting payment. Alice will have to use some cryptographic protocolto satisfy herself that it is Bob who submitted these coins forredemption, and then she would pay the mint the nominal value of thecoin submitted by Bob, namely $y. Once the mint is paid by Alice, themint will validate the coins to the merchant, or simply pay to hisaccount, either with mint money or otherwise. By so doing the mintconcluded its involvement with the transaction. It will be left forAlice to chase Bob to pay back the credit. It is noteworthy that Alicedoes not have to be a bank, she can be an individual or an organization.Her advantage may be that she knows Bob, or that she has good collateralon his debt. This arrangement achieves functional decoupling betweenAlice that sells the credit to Bob, and between the mint and itsuniversal recognition by the merchant that allows a merchant who doesnot know Bob and does not know Alice to sell on credit to them both,while he, the merchant, remains in the cash equivalent business.

In other words, this is a method by which a mint entity that mints andredeems digital money collaborates with merchants, their customers, andcredit-extending entities (CEE) to allow the CEE to extend credit toselected group of customers, so that these customers can shop with anyparticipating merchant. The method comprising the minting of unpaiddigital coins marked in their terms-of-payment as ‘paid on demand’(POD), and the mint conveying said POD marked coins to a CEE, which inturn conveys said coins, per its risk assessment, to some selectedcredit-purchasers (individuals or organizations) such that the creditpurchasers may use said coins with any participating merchant of theirchoice, and said merchant submits the POD-marked coins to the mint forredemption, and such that the mint, in turn, requests the CEE to pay themint the nominal value of the digital coins submitted for redemption,and such that if the CEE pays the mint, the mint, in turn, pays theparticipating merchant, which, in turn, releases the goods or servicesto the credit-purchasing customer, and thereby concludes the creditbased transaction, except that the CEE and the credit-purchasingcustomer still have to settle the credit-purchase between them.

The invented modality for credit based transactions is depicted in FIG.2: Consumer Credit: Today and Tomorrow. FIG. 2 is explained in detailbelow:

The figure depicts on the left side the mechanism of consumer credittransactions, as it is being conducted today. A consumer is connectingwith a banking establishment (marked by line (b)), and receives from thebank an assessment of his or her credit-worthiness. According to thisassessment the bank exploits its membership in a banks-owned globalcredit network (this connection is marked by line (c). By force of itsmembership in the global credit network, the bank issues a credit cardto the consumer, marked with the brand name of the global credit network(this issuance flows along line (b)). The consumer then identifies somemerchandise offered by the merchant (this identification is designatedby line (a)). Instead of paying cash, the consumer submits to themerchant his or her credit card (along line (a)). The merchant, in turnsubmits this credit request to its bank (along line (e). The merchant'sbank passes the request to the Global Credit Network (along line (d)),and to the consumer's bank (along line (f)). The consumer's bank is theentity that assumed the risk of providing credit to the consumer, and itis its decision whether to approve this credit request. If approved thenthe consumer's bank so notifies the merchant's bank (along line (f)),and the merchant's bank communicates this approval to the merchant(along line (e)). Following the approval the merchant releases themerchandise to the consumer, (along line (a)), and sends the record ofthe transaction to its bank (along line (e)). The merchant's bankrequests payment from the customer bank (along line (f)). The consumerbank pays the merchant's bank (along line (f)), and the merchant's bankdeposits the payment in the merchant's account.

The figure depict on the right side the mechanism of consumer credittransactions, as it is envisioned on account of this invention. One maindifference is that the credit vendor will not necessarily be a bankinginstitution, but any entity so disposed. (The term “credit vendor” hereand the term “credit extending entity”, CEE elsewhere, refer to the sameconcept.) For example, an employer of a consumer is in a good positionto offer credit. The credit vendor will approach the digital mint alongline (h), and request it to issue him digital money marked as unpaid, or‘paid on demand’ (POD) money. That money is stored by the credit vendoron his computer (not in a bank). The credit vendor will then enter intoa credit agreement with the consumer (along line (g)), and provide himor her with digital money marked POD. These digital coins are taken fromthe coins issued to the vendor by the digital mint. The consumer thenattempts to buy some merchandise from the merchant, and pays for it withsome or all of the POD-marked digital coins provided to him by thecredit vendor (this attempt is marked along line (a′)). The merchant, inturn, submits the digital coins to the digital mint, asking to redeemthem (long line (i)). The digital mint then requests said payment fromthe credit vendor (along line (h)). The credit vendor will exercisewhatever validation procedure to satisfy itself that the credit is beingrequested by the consumer and not by a fraudster, and when so satisfied,the credit vendor will pay the digital mint the requested sum (alongline (h)), and the digital mint, in turn, will pay the merchant for thedigital coin presented to it (along line (i)). The payment may be in aform of freshly mint digital coin, or in an earlier non-digital form.

Fiduciary Coins:

Digital coins may be tethered to logical conditions that may reflect theagreement between payer and payee as to the disposition of the money.Today Alice may transfer $x to Bob under an agreement by which Bobcommits himself to certain limitations and certain activities withrespect to the money. If Bob falls short of his commitment Alice maycall Bob to account, but her only recourse, in case of a dispute is acourt of law. With digital money the terms of the payment agreement maybe expressed as terms of payment in the meta-data of the coin, so thatBob will not be able to use the money outside the agreed upon terms.This would give Alice confidence that Bob will abide by the agreement,and will spare her the need to meet Bob in an expensive court battle.Such confidence will encourage Alice to enter into promissorytransactions that overall boost the economy. Alice may be a bank, andBob may be borrowing money for home improvement. In that case thedigital money will only be redeemable by a bona fide home improvementcontractor. Alice may be a rich country lending money to a poor country,making sure the money goes into agreed upon economic developmentactions. Fiduciary money can be used in insurance. The premium payerswill limit their money to be used in low risk investment so that theinsurance company will have resources to pay off if called for. Thiswill alleviate the burden of government insurance inspectors.

Saving Incentive Fiduciary Coins:

Tethered digital money can be used to encourage savings. If Bob has somedegree of freedom in managing expenses then Alice could motivate him byproviding an estimated amount of $x in fiduciary coins, tethered to theanticipated expenses, and by the end of the spending period agree withBob that the difference between the amount he actually spent $y and thehigher sum $x, will be divided between Alice and Bob. Bob's share willbe expressed by removing the tethering on his share, so he can use it ashe sees fit. In this scheme Alice could be a business owner, sending Bobon a business trip, or asking Bob to equip the office with office ware.Or Alice can be a health insurance company giving vouchers-like PODmoney per estimated annual cost, and then sharing the savings per theactual spending.

Digital Money Utility Payment

Home and industrial utilities like power, water, gas, sewer, steam, etc.are normally metered, and paid in response to a post-usage invoice. Thissetup is highly inefficient, and cumbersome compared to a pay-as-you-gooption where no invoice must be prepared, nor mailed, then reviewed, andnot eventually paid-up, and collected. We describe here how to use thecoin-splitting technique described herein to offer a real-time utilitypayment solution

Power supply, in particular, may be a two-way configuration whereconsumers generated power and wish to push it to the grid. A smartpay-as-you-go solution will have to allow for this configuration.

The Utility Payment Solution

The Utility Payment Solution is comprised of a real-time paymentapparatus wherein value bits are paid simultaneously with theconsumption of the consumed utility. It involves a nominal consumptionmeter for the paid utility, integrated with a payment module and aflow-controller, together referred to as the payment-meter. The paymentmodule is comprised of (i) real-time payment calculator, (ii) a meterinterface, (iii) a digital wallet, (iv) a payment interface, andoptionally: (v) payment display unit, and (vi) payment register. TheUtility Payment Solution comes with two categories, modes: Non-Real TimeMint Validation and Real-Time Mint Validation. Using the Dual-StringOption (DSO) for utility payments one could reduce the number of voidbits to a minimum, even to zero. Namely, the entire V string will becomprised of extract-value bits. Or say, I, the interpretation stringwill mark s=1 and e=v. In other words all the v bits in the V stringwill be extract value string.

In the first category the metering and the payment is taking place byerasing or removing pre-purchased bits from the extract-value string, asit is being described in the coin-splitting section. No need forreal-time payment contact with the payment center (the mint). In thelatter category the meter communicates with the digital payment centerto effect the payment. While the latter category offers greatersecurity, it is also more complex, and more expensive.

In both categories, or modes, a real-time payment calculator will bedetermining the number of bits that must be paid for the ongoingconsumption, and when the payment is stopped, the system will affect ausage controller to prevent theft of unpaid utility.

The display unit will inform the user in real time how he or she aredoing—are they in the “green” or are they in the “red”. Namely, are theypaying right now too much, so may be the consumption can be reduced.This real time consumption rate is of particular interest for electricalpower. It makes a big difference what time of the day electricity isconsumed.

Non Real-Time Mint Validation Utility Payment

In this mode the consumption (flow) of a utility will be linked in realtime to the destruction, burning, erasing, or removing of bits from theextract-value string, without the process of redeeming them by areal-time connection to the payment center (the mint). The key to theoperation here is to insure that the burnt bits represent money andreflect either a purchase or a donation (validity).

The validity of the paid bits may be established by a combination of thefollowing validation processes: Source Validation Identity ValidationDelayed Validation

Source validation is a process where the device that supplies the bitsis validated, and with it the burnt bits are assumed bona fide. In theidentity validation the circuitry in the payment-meter will evaluate theidentity of some of the supplied bits to insure that the bits supplysource is proper. The used bits may be accumulated in the payment-meterfor a non-real time, delayed examination which will flush out any fraudor abuse.

The source validation is usually practiced by trusting the integrity ofa bits container, a wallet, that the bits it contains are bona fidepayment bits. Something in the hardware, or the features of the walletwill provide that assurance for integrity. One of the industryestablished “cryptographic hand shaking” protocol will be carried out toinsure the validity of the source without checking or validating thebits themselves. Bit identity validation may be carried out using theconcept of under-randomness in which the bits appear random but aresubject to a cryptographic validation based on their identity.

The Payment Module

The Payment module involves a nominal consumption meter for the paidutility, integrated with a payment module, together referred to as thepayment-meter. The payment module is comprised of real-time paymentcalculator a meter-interface a payment interface a digital Wallet; andoptionally: payment display unit payment register.

The payment module first gets a reading from the flow meter as to theflow rate of the paid utility. The reading may be analog and in thatcase it is converted to digital, or it may be already in digital format.This reading and potential conversion happens in the meter interfacesubsystem. The reading is then transferred as input to the paymentmodule. The payment module incorporates all the factors used by itspayment formula, and translates the flow reading to payment rates.

Real-Time Payment Calculator:

The Real-Time Payment Calculator receives as input the rate ofconsumption of the paid utility, U*(in utility quantity units, U,divided to time unit, Δt.), and computes the rate of payment P*(bits persame unit of time Δt). This computation is based on: (i) time ofpayment, t, (ii) payment factors, F, (iii) and the rate formula, f:

P*=f(U*,t,F)

The payment factors may be static or dynamic. They may be locallysensed, or may be remotely communicated. Some factors may be downloadedfrom a central location, others may be communicated interactively fromneighboring devices. The payment formula may need the detailed orintegrated history of the utility flow. Time may refer to time of day,day of week, day of month, month and year. In its basic version theratio P*/U* will be fixed and reflect how many payment bits are to bepaid per a given consumption of the paid utility.

There is special consideration for power (electricity) payment. Powershould cost more in peak times, and less in off hours. Power may be moreexpensive in days where the limit is approached, and less in calmerdays. Rate may be dependent on the source of power.

Purchase of Electrical Power:

Electricity has unique features among nominal utilities: (i) it can't bereadily stored, (ii) its cost of production depends on momentary demand,(iii) it supports two-way flow, (iv) it is supplied from various sourcesat different rates, and (v) it is subject to proactive governmentincentive programs. All these factors combine to a rather complexpayment calculator, depending on a variety of factors.

Two-Ways Electricity Flow Payment:

Electricity can be generated locally by consumers who are also connectedto consume from the grid. The locally generated power may be used inlieu of the grid supply, and at time may exceed the supply, and mayengender a new back-flow from the consumer to the grid. Such back-flowis necessary because electrical power does not store well. The DSOsolution will have to account for both the in-lieu mode, and theback-flow mode.

The In-Lieu Power Use:

In that case the meter-payment system will have to include a two waysupply: the grid, and the local supply. It will also include a selectorthat would give preference to the locally generated power ahead of thegrid. The locally generated power may be free of charge or charged at adifferent rate. The payment module will compute the payment for eachsource.

Back-Flow Power Use:

To accommodate this feature the payment module will include two ‘cashregisters’ one for “spent bits” the other for “redeemed bits” alsocalled “credit bits”. As the grid supplies power, the payment bits arebeing consumed, but instead of erasing them or sending them off to themint for validation, these bits will accumulate in the spent box up to apreset limit, S. This transfer of bits will follow the proceduredescribed in the coin-splitting section. Once the limit of bitaccumulation is reached, the additional spent bits will be erased orsent to mint as the case may be. If, at a given point the consumerconnects with a power source (a battery, a dynamo connected tostationary bicycle, a backyard windmill, a solar system or alike), andthe power he or she supplies exceeds their consumption at the time, thenthe overflow is sent as power source to the grid, and the grid will payfor it, per established rates. The payment calculator will take thereading of the amount of power supplied to the grid from the consumerand apply the rate formula to compute the amount of money to be creditedto the consumer. That amount, translated to bit-count will betransferred real-time from the “spent box” to the “redeemed box” or“credit box” as it is also called. When the consumer, at a later point,resume purchasing power from the grid, then he first pays with theredeemed bits that accumulated in the ‘redeemed’ or credited cashregister. When the redeemed box has exhausted its bits, the paymentresumes from the latched bit container.

This solution is based on the assumption that the reverse direction ofpower flow is a small fraction of the power consumed. If not then oneshould apply the payment procedure for nominal grid suppliers.

Digital Money Payment to Nominal Grid Suppliers:

Two solutions are presented: The non-real time connectivity solution.The real-time connectivity solution

The Non-Real Time Connectivity Solution:

The solution here involves: (i) the power supplier, (ii) the powercompany that buys electricity from the supplier, and (iii) the Mint. Thedevices needed are: (a) a dedicated power-payment apparatus, (b) adigital wallet, and (c) a used-bits storage device.

The power supplier (i), connects to the grid, and the electricity flowis captured by a meter, and computed based on a variety of factors tocredit in favor of the supplier. This credit is expressed as a number ofbits. The meter-payment apparatus (a) will have a digital money bitholder (wallet) attached to it (b), and bits from it will flow per thecomputed measure to the used-bits storage device (c). However on theirway from the wallet to the storage device [(a)-->(b)] the bits will beencrypted with a cryptographic key that is securely embedded in thepayment module.

At some arbitrary point in the process, the power supplier (i) will sendthe bits that accumulated in the used-bits storage device to the powercompany (ii). The power company will decrypt the bits sent to it, thensend these bits to the mint (iii) to confirm that they are the true bitsfrom a mint's wallet that was purchased for the purpose. This will serveas proof that those bits represent power that was supplied to the powercompany. Having been satisfied that it received the claimed power, thepower company (ii) will then reimburse the power supplier for his powersupply.

This represents a new use of the DSO option. The power supplier buys adigital money stick (wallet) for a nominal fee, say N. When these bitsare proven to have been extracted from the wallet against a measuredamount of electricity supplied to the grid, then the supplier claims apayment from the power company for his supplied electricity. Let thispayment be P. The difference (P−N) is the net payment to the supplier.The profit for the Mint is N plus any service fee the Mint will collectfrom the power company, S. The power company will pay (P+S) for thepower it received, but there are no additional accounting efforts.

The integrity of this scheme is based on the hardware integrity of themeter-payment apparatus. Each such apparatus will be fitted with its owncrypto key (using perhaps the same cipher). As long as the crypto key isnot compromised, it is impossible for the power supplier to present thespent bits to the power company without them having been first processedby the meter-payment complex. It is noteworthy that the crypto key inthe meter-payment apparatus is not known to the Mint. It is only knownand used by the power company.

The Real-Time Connectivity Solution:

In this mode the meter is connected to the power company. As power isbeing supplied, the power company sends bits to a bit receptacleprepared by the supplier to receive these bits—in a method akin to thedescription in the Coin-Splitting section. At any point the suppliercollects the accumulating bits, sends them to the Mint forauthentication, and then he or she either uses these bits for anypayment they wish to make, or they ask the Mint to credit them with fiatcurrency instead. In this solution the exchanged bits are universal. Inthe former solution, the exchanged bits may be dedicated for the powerexchange purpose.

Assuming a wide spread deployment of cell-phone towers, and internet,one could build an IP-based payment solution. The consumers will buypayment sticks, latch them into the electronics of the solar energycontraption, and once the payment stick (wallet) is validated by themint, it sends an activation signal to start consuming and paying forsolar energy. In practice, the solar investor company may receive thecoin id from the latched in digital coin, pass that data to the Mint,and when validated, the investor will send the activation signal to thesolar supply. The activation will last as long that that latched digitalcoin has remaining bits.

A simpler, non-real-time-validation-by-the-investor solution is asfollows: the meter-control electronics is linked to commensurate bitsupply to facilitate payments. The identity of the bits is not real-timevalidated by The mint, and the integrity of the payment is maintained inother ways. Some of them are: Cryptographic Handshake and Secretidentity

The cryptographic handshake solution is based on wrapping the digitalpayment bits in a wallet, a “coin” that would have to identify itself asbona fide to the meter-payment electronic contraption at each user'ssite. In the simpler way there would be the same handshake for allsites, in the more advanced implementation, each site will have its ownidentification.

Any of the prevailing access and authentication protocols can be used toinsure that the wallet that is being latched to effect the payment is abona fide wallet, and not a false one. preferably a challenge-responseprotocol will be used. So, for example, using a particular cipher thepayment module will include a secret key that is secured via thehardware construction of the module. This will allow the payment moduleto use a random plaintext as a challenge to the wallet as it is beinglatched in. The wallet will encrypt the plaintext using its key, andsend back the ciphertext. The payment module will also encrypt therandom plaintext, and compare the two ciphertexts. if they agree, thenthe conclusion is that the wallet has the secret key, and hence is bonafide.

In this handshake mode the identities of the payment bits are notverified per se, what is verified is that they are coming out from abona fide payment wallet, or coin, and hence are to be trusted. Thesepayment bits as they are being used, consumed, by the payment module,they don't go anywhere, and they are simply discarded. The payment iseffected when the user is buying the wallet.

In the secret identity mode of non-real-time bit verification mode, thevery identity of the payment bits only looks random, but in fact ispseudo-random, and is very carefully contrived. Using commoncryptographic means one would mint as many coins as necessary. When eachof these properly minted coins is served as a bit payment source thenthe payment module verifies its bona fide status, and allows for thepayment to proceed. If the test fails, namely the identities of thepayment bits are not passing the crypto test, then the payment isstopped, and the power supply is shut down.

A Meter Interface:

The meter interface (i) reads the utility consumption rate from themeter, (ii) it communicates with the other components of the paymentmodule, and (iii) it sends a “GO/No-GO” signal to the flow-controlmodule indicating whether the utility is allowed to flow normally, toflow under constraints, or to stop altogether.

A Digital Mint (Payment) Interface:

The payment interface receives the real time bit payment needed to payfor the real-time consumption of the paid utility. The input is thenumber of bits needed to effect the payment. These bits are extracted bythis interface from the Digital payment wallet—the coin—the Digitalpayment stick that houses the payment bits to be paid. Following theirextraction from the wallet three options are possible depending on theimplementation scheme: erasure, dispatching to a dedicated spent bitscontainer, communicating the bits for real-time payment validation.

Erasing the bits is the simplest operation. The bits are thenirretrievable. Dispatching to a dedicated spent bits container may beused in two options: for delayed validation and for payment reversal

Payment of utility may be implemented with a delayed validation of thespent bits. It may be too burdensome to real time validate the bits, andin that case one would take the spent bits every so often to acommunication station, and validate the bit identity after its use. Ifthere is a problem then per policy, an invoice will be sent, or theservice will be cut off, equipment removed, etc.

We have seen that in case of electrical power, the user might have anoccasion to sell the power company some electricity generated by him orher. In that case the user, or consumer will earn credit, and that wouldbe in the form of pulling bits out of the spent bits box and deposingthem in a dedicated credit bits or redeemed bits box, from where thebits will be paid “again” when the consumer returns to buy power fromthe power company.

In real time applications, the payment interface will send the bits,through IP for The mint to validate them real time. All these functionsare covered by the payment interface.

A Payment Wallet:

The wallet may be generic and simple for the case when the bits arereal-time validated by The mint, or it may be at various levels ofprotection and sophistication if no such real time validation takesplace. The risk for the non-real time validation is the replacement of apayment wallet by any random string of bits that are being extracted anddisposed as if they were payment bits. To prevent this without real timevalidation or subsequent validation it is necessary for the wallet toproject hardware integrity. The wallet will have to be constructed withfeatures that would be required by the payment interface, and thatwithout them the payment will not be carried out. These features shouldbe difficult to emulate either on account of technological difficulty oron account of secrecy, or perhaps a combination.

Of particular interest may be the under-random digital coin in which theidentity of the bits is not fully random, only under-random, namely thebits appear random to a viewer yet their construction is such that thepayment interface will be able to distinguish between a bona fideDigitally minted coin, (“wallet”), and a look-alike. As explained here,the system offers a cryptographic assurance for the integrity of thepaid bits.

Payment Display Unit:

This unit is optional. It is designed to offer the user real timedisplay of his use of the paid utility. The display may be an audiosignal or a visual, or perhaps both.

Audio Usage Display

The idea here is to alert the user that the utility he so dearly paysfor, is now rising in its consumption, and so perhaps it will make senseto shut some systems off The signal may be a shrieking noise, or it maybe a period alarming signal depending on the degree of consumption, oron the degree of attention required.

Visual Display:

The visual display may range from a threesome dot light: green, yellow,red. indicating increasing level of consumption. It may be a coloredgraph, it may be a detailed table, or perhaps a combination of some ofthe above.

A numeric display might show rate of use at the moment, integrated usefrom a given reference point (early this day, this week, this month),and comparable or average figures.

In a more sophisticated version the payment unit may be fed fromdownstream consumption data (from downstream meters), and accordinglydisplay advice to the user what is best to shut down.

Payment Register:

The Payment Register complement the working registers of bit-boxes thatare part of the payment unit. It may be used as an easy latch-on,latch-off for new and old bits. The removed bits may be sent to The mintfor delayed validation.

Utility Flow Controller

The utility flow controller is a component that controls the flow of thepaid utility. In its basic form it is simply a go/no-go device. If theconsumed utility is properly paid for, its status is a ‘go’, if nopayment was made (no bits available for payment), then the paymentmodule unleashes a “No-GO!” signal, and the utility flow stops. It kicksback in the moment that fresh authorized Minted bits are available tothe system.

The flow controller may have built in sophistication in the form of:delayed flow stop; rate of flow ceiling; or conditional flow.

The “delayed flow stop” action is simply a grace period, counted fromthe moment that no payment bits are available. The grace period may beindicated by an audible signal or other means to alert the user that hispower, water, gas, etc. is about to be stopped.

The rate of flow ceiling is a mechanism whereby the controller allowsonly a preset consumption rate designed to prevent normal usage (untilpayment is made), yet, without imposing a total cut-off, which mighthave serious consequences to the unsaying user. So, for example, thepower supply will be limited to support a refrigerator and some lightbulbs, but not the air-conditioning system, nor the dish-washer, etc.

Conditional flow may refer to time of day, date, demand by neighbors, orany other logical term designed to affect a distinction between wellpaid utility and unpaid utility. Any combination of all three options isalso possible.

Various embodiments include a method to pay for utility consumption on areal-time basis by splitting digital coins at a rate that pays exactlyfor the utility measure being consumed; the digital coin being latchedinto a utility usage device equipped with a computing apparatus thatmatches the consumption of value bits from the latched digital coin tothe real time consumption of the utility; the utility flow is stoppedwhen no more payment bits are available.

In various embodiments of this method the split off (paid) value bitsare erased, and the utility company is paid when the digital coin ispurchased.

In various embodiments of this method the split off (paid) value bitsare accumulated in a receiving coin (bit container), and from where theyare being returned to the original latched coin, in the event where theutility consumer generates a measure of the utility, which is being soldback to the utility company, as is common with electrical power.

In various embodiments of this method the paying coin is in a form of atamper-resistant hardware, and a validating cryptographic protocol isused to verify the paying coin as bona-fide.

In various embodiments of this method the paid bits are sent to theutility company which eventually redeems them with the mint

Erosive Intractability Immunized (EII) Cryptographic Money

We introduce here the apparently novel concept that cryptographic moneymust be immunized against the threat of erosive intractability.Practically all cryptographic primitives and cryptographic ciphers todayare threatened by erosive intractability—meaning: they are based onassumed—not proven—intractability that is continuously eroding as morerelevant mathematical insight is being gained, and faster computers cometo the fore. The rate of intractability erosion is unpredictable, andhence any cipher, or cryptographic scheme that is based on erosiveintractability is not suitable as a basis for cryptographic money, (alsoregarded as digital money, digital coins, or digital currency). Thebasis for a durable and hence acceptable currency must be acryptographic procedure that is immunized from erosive intractability.

Key-Indefinite Cryptographic Money:

Let M be a digital money generating algorithm. Let the Mint be theauthority that generates, issues, mints the tradable digital coins undersome acceptable trading environment. Let there be a binary string K, oflength k bits known as “the Key”. The Mint applies K via M to mintcoins. Let the Mint generate some n coins C₁, C₂, . . . C_(n) whichcirculate among the participating traders. Let M either be a-prioripublic (in order to convince the traders that the digital money mint isrobust), or let M be an initial secret which eventually leaks to thepublic knowledge. If M is a regular, definite algorithm then afraudster, aware of M may apply the “brute force” approach and try all2^(k) possible keys until he mints an exact image of a bona-fide coin,and passes it as a traded value, thereby breaking the system. In anindefinite cryptographic setup M will be such that in order to mint acryptographic coin, one would use a key of indefinite size, namely, thekey, K, comprised of k bits such that k=1, 2, . . . infinity, and henceit will be impossible for a fraudster to apply any means to exhaustivelycheck a finite number of possibilities and mint an image of a bona-fidecoin.

Using U.S. Pat. No. 6,823,068 as an Indefinite Cryptographic MoneyScheme: U.S. Pat. No. 6,823,068 teaches us how to encrypt any sizeplaintext using any size key. Accordingly one would use said patent tomint cryptographic money. In particular one could increase the size ofthe key at will and thereby correspondingly increase the burden on thefraudster trying to mint an image of a bona-fide coin.

Feedback Indefinite Cryptographic Money

Let P represent the plaintext version of a digital coin, and C representthe corresponding ciphertext of P. Let the cryptographic money scheme bebased on distributing C, and validating it by converting it into P. Afeedback indefinite cryptographic money will be money that when its Cversion is being used as a source to devise its corresponding P versionthen by exhaustively analyzing C one harvests p different plaintextcandidates: P₁, P₂, . . . P_(p) such that all p options are plausible.The larger the size of p, the greater the terminal undecidability of theplaintext version of the coin. And since the p options are derived froman exhaustive analysis of C, no further mathematical insight, nor fastercomputers will reduce the field of p plaintext options for the coin, andthe larger the value of p, the greater the security of the scheme.

Randomized Value Coins:

EII cryptographic money may be based on a randomized value string. Let Rbe a randomized string of size r bits. The attribute ‘randomized’indicates that the identity of the bits that express the value of thecoin are determined by a true random process, as may be developed bylogging the behavior of a radioactive decay of a radioactive source, inthe standard fashion of counting the decay events, and, for example,recording as one if the number of decay events (atomic disintegration)over a set period, say 10 nanoseconds are above average and recordingzero if the number of decay events is below average. Other truerandomization sources will do too, and for less exactingimplementations, a pseudo-random process will do too. If R, which, asindicated, is truly randomized, and it fully carries the value of thestring then any encrypted result of R cannot be cryptanalyzed even bybrute force approach because almost every key in the key space that isbeing used, yields a randomized looking string, so the cryptanalyst willdistinguish no distinction between the string that represents the valueof the coin, and most of the other 2^(r)−1 strings, which arerandom-looking. This case will qualify as feedback indefinitecryptographic money.

A Case for Randomized Value Coins: Dual String Option (DSO)

One builds a digital coin comprised of five concatenated strings: (i)the coin identity-string, (ii) the coin value string, (iii) the coininterpretation string, (iv) the coin attributes string, and (v) coincryptographic parameters. The coin-identity string will comprisecharacters that will identify each coin through a unique identifier.This unique identifier, Id, will be used to establish an easilysearchable database of the coins, and otherwise reference it as needed.The coin value string, V, is comprised of v perfectly randomized bits.Namely the value of each bit, one or zero, is determined without anypreset rule or formerly established order, and independent of the bitidentity of all other bits in the string. Consequently, all 2^(v)possible strings of size v bits could pass as the value string, and acryptanalyst will have no grounds to rank these 2^(v) strings by anyorder of probability. The coin interpretation string, I, will carry thedata needed to extract the value of the coin from the value string V.The idea being to express the coin via two strings: one a pattern basedscreen (I), and one perfectly random string (V), where the random stringwill insure the undecidability that will qualify such a minted coin asfeedback-indefinite cryptographic money. This dual-string options willbe implemented in various ways. 1 I-V separation method 2. I-V mixmethod

I-V Separation Method: In this implementation the value of the coin perse is determined by the interpretation string I, and V is used forvalidation of holding or being aware of the coin. String I is comprisedat the very least two parameters, (1) scale, and (2) end-points.

The scale is a measure of how many dollars correspond to a bit −d. Theend points indicate the starting bit (by count from the beginning of V),s, and the ending bit, e, also counted from the beginning of V. Thevalue of the coin will be determined by the following formula:

{dollar value of the coin}=d*(e−s+1)

The bits in the string from bit s to bit e, are the hidden value bits ofthe coin. The bits 1 to s−1 and e+1 to bit v, serve purely fordistraction and confusion of fraudsters.

Example: the value string V of a coin is given as:1001100110011001011110

It's length v=22. V may be coupled with an interpretation string I thatindicates: d=0.1$/bit, and s=4 and e=12. The value of this coin is givenby: {coin value}=0.1(12−4+1)=$0.90. The identify of this $0.90 coin isgiven by the substring of V from s to e: 110011001

I-V Mixed Method: In this implementation the value of the coin isdetermined jointly by strings V and I. The I string specifies thestarting bit s (in string V) and the ending string e, (in string V),such that bits 1 to (s−1) are meaningless, and the same with respect tobits (e+1) to v. The interpretation string I also indicates d—the $/bitbasic ratio, but it also indicates m—where m is the number of bits,beginning with s and continuing with s+1, s+2, . . . until s+m−1, suchthat the numeric value of these m bits represents a multiplier tomultiply the basic $/bit ratio with in order to get the applicable $/bitratio of the string that begins with bit s+m, and ends with bit e.

{coin value}={value of the m bits multiplier string}*d*(e−s+1−m)

For example, the above illustrated 22 bits V string with a correspondingI string specifying: s=4, e=12 and d=$0.10 will also specify m=3.Accordingly the multiplier string: bits s, s+1, s+2 will be read fromstring V to be: “110” which is the binary expression for the decimalnumber 6, and hence: {value of coin}=6*0.10*(12−4+1−3)=$3.60

In the mixed I-V implementation neither the I string alone, nor the Vstring alone determine the value of the coin, but both together do. Inthe I-V separated implementation the I string determines the value ofthe coin, and the V string provides its identity.

The coin-attributes string will contain various attributes of the coin.For example, the attributes will dictate time (date) when the coinbecomes valid for trade, and a later date when the coin expires, andbecomes valueless. The attributes might designate the allowedredeemer—the person, or the group of people, who are designated asbona-fide agents to redeem the digital coin against other forms ofmoney. Similarly, the attributes will specify any logical conditionrequired to be fulfilled in order to redeem the coin.

The coin cryptographic parameters will be keys and data needed toexecute cryptographic protocols. For example, the coin identificationstring, the coin interpretation string, and the coin attributes stringmay be signed by the mint using its private key in an asymmetricencryption. The cryptographic parameter will contain the signature,which will be interpreted by a trader using the mint's correspondingpublic key, and comparing the signature to the expected signature fromthese strings as they appear in the coin. This is a standard way toascertain the bona fide integrity of the strings of the coin. Thisminting procedure allows for digital coins to be of same bit size (bitcount) regardless of value. This attribute is very important fordatabase operations regarding the coins.

Double-Bitting:

In some applications it may be helpful for the mint to convey partialcoin information to its agent, so that the agent will have sufficientcoin information to independently authenticate a coin and authorize itsredemption, but will not have enough information to claim the coin forredemption at the mint. This might be accomplished by randomly selectingsome bits within the extract-value substring of the value string V, andmasking the identities of these bits. In order to express coins withsome of the coin bits written with hidden identity one could use twoconsecutive bits to express a single bit. The following mapping may beused. To express a bit with identity “0” one would use two consecutivebits written as “01”. To express a bit with identity “1” one would usetwo consecutive bits written as “10”. To express a bit with maskedidentity, one would use two consecutive bits written as “00”. Theremaining combination: “11” will be used to indicate a start and end ofa string. Using this scheme one could mask the identity of any bit in astring at a cost of doubling the size of the strings.

FIG. 3 depicts the structure of Dual String Option digital coin, inaccordance with various embodiments. In part (a), FIG. 3 shows thestructure of the digital coin where N represents the identification(name, number) of the coin, A represents the coin attributes string, Vrepresents the coin value string, I represents the coin interpretationstring, and C represents the string that contains cryptographicparameters. The coin value string, V is comprised of pseudo random bitsand perfectly random bits. The coin interpretation string I contains thefollowing parameters: d—the $/bit factor, s—the bit count in V where theextract value string starts, e—the bit count in V where the extractvalue string ends. The figure features the formula used to determine thevalue of the coin. The identity of the coin is carried by the identitiesof the bits s, s+1, s+2, . . . e (the extract value string). Theidentities of all other bits in V (namely: 1, 2, . . . (s−1), (e+1),(e+2), . . . v) are inconsequential. Each coin holder can replace themwith his or her own set of pseudo-random identities. Albeit, to redeemthe coin, the redeemer will have to know the exact identities of theextract-value string: bits s, s+1, . . . e . The underlying idea here isthat the coin is expressed per identity and value by two strings: I andV, where V is a randomized string that successfully resists any attemptto discern a pattern therein. While it is best to build theextract-value string (bits s to e) from perfectly randomized bits (likemeasuring radioactive decay), one could implement the method usingpseudo-random bits for these extract value strings.

In part (b), FIG. 3 shows how the V string can contain any number ofextract-value sub strings. The starting bit and ending bit in V of eachsuch extract value string (or say, equivalently: substring) isidentified in I, the coin interpretation string, which also identifiesthe $/bit value for each extract-value substring. The value of the coinis the sum values of all the extract-value substrings that comprise it.In the drawing three such extract value substrings are shown. One coulduse this multiple extract value string configuration to build a coinfrom various size sums so that one could use the coin splitting method,and split off cents, or parts of a cent, split off dollars, hundreds ofdollars, thousands of dollars, or any other resolution, where eachextract value string corresponds to one such resolution by its specified$/bit d value. One would make sure that for each string the value of(e−s) is sufficiently large to insure overwhelming odds against a wildguess of the coin identity.

The Foremint

The mint minted digital coins may be passed to another entity that wouldadd information to the coin before releasing it for trading. That entitymay be called a foremint The foremint will add ‘foremint strings’ thatwill include foremint added identification string (fm_(id)), andforemint added attributes string. This will allow the foremint to addinformation to the digital coins minted by the mint (also known as thecore mint). The foremint will pass to the traders the coin with the coremint's string and the foremint's string. The foremint may use its ownpublic/private keys to sign its add-on strings, and insure theiridentity. A coin processed by a foremint will have a proper indicationfor such an add-on, written in the attribute string, or specialparameters string by the first mint (the core mint). If the foremintadds conditions for redemption of the coin, then the core mint will notredeem this coin without those conditions being met. The foremint maydecide to redeem a coin by its trader, then redeem that coin at the coremint, as the case may be.

Multiple Extract-Value Strings

The value string V is comprised of bits that identify the coin by theirvalue pattern—these bits comprise the ‘extract value string’, and allthe other strings that are present in order to deny coin fraudsterstheir fraudulent goal. These other bits are to be referred to as ‘voidbits’. As described above the value string V is comprised of an extractvalue string spanning between bit number s to bit number e, and fromvoid bits: bits 1 to (s−1), and bit (e+1) to bit v.

The concept described above where the V string features one singleextract value string may be extended to multiple value strings that arepositioned at various spots in the V string. Each extract value stringwill have corresponding data in the corresponding coin interpretationstring, I, and each extract value string will have a correspondingdollar value. The dollar value of the coin will be the sum of the dollarvalues spread across the V string.

For example: let V be the following 42 bits string:

-   -   V=100100111000011110101010001111101100010110

The corresponding interpretation string I will feature three extractvalue strings: Extract value string 1: d=$2.50/bit m=2, s=3, e=11.Extract value string 2: d=$10.00/bit m=3, s=13, e=22. Extract valuestring 3: d=$0.10/bit m=4, s=30, e=40. Examining V, one concludes:

Extract value string 1 is: 010011100 and since m=2 the conversionmultiplier M=1 and the dollar value of this extract value string (valuesubstring)=2.50*1*(11−3+1−2)=$17.50Extract value string 2 is: 0111101010 and since m=3 the conversionmultiplier M=3 and the dollar value of this extract value string (valuesubstring)=10.00*3*(22−13+1−3)=$210.00Extract value string 3 is: 11011000101 and since m=4 the conversionmultiplier M=13 and the dollar value of this extract value string (valuesubstring)=0.10*13*(40−30+1−4)=$9.10

And the value of coin is the summation of the values of the substrings:$17.50+$210.00+$9.10=$236.60

Encryption

The essential feature of this digital money is that the mint usesperfect randomness to build the extract-value strings. Such areradioactive decay, which is considered perfectly random. In that sensethis may be regarded as quantum physics based coin minting. The voidbits may be determined using a pseudo-random process. The extract-valuestrings and the void bits will form a random looking string, V, that islikely to satisfy all the prevailing standard of randomness. Hence,using any nominal encryption over the value string will result inanother random-looking (pseudo-random) string. So the encryption willconvert a pseudo-random string to another pseudo-random string. Thiswill deny the cryptanalyst the ability to apply “brute force” to breakthe encryption because every tried key will yield a bona fidepseudo-random bit sequence, and there would be no positive feedback toindicate if a used key is the right key or not.

A cryptanalyst might try to break the encryption by eavesdropping on thecoin passed from the mint to its first trader, and thereby catching theciphertext of the value string. Then the cryptanalyst will sell somemerchandise to the recipient of the coin, and will receive the coin aspayment—this will give the cryptanalyst the plaintext of the coin. Nowgiven the plaintext and the ciphertext, the cryptanalyst will regain thepower of brute force approach (or accelerated brute force).

There are several remedies to this threat: (1) the large key remedy, (2)one-to-many encryption option, and (3) re-voiding.

The Large-Key Remedy:

By employing a sufficiently large key one reduces the threat of bruteforce discovery of the trader's key. The size of the value string V maybe standardized, say to 10,000 bits or, say 100,000 bits, and then onecould proportionally extend any given block cipher, like DES or AES andapply it to the standardized size of V, by using a proportionally largekey. The typical block cipher creates a very good mix of all the blockinput bits. In this case this will generate a good mix of the void bitsand extract value strings. One might device a dedicated cipher, usingthe ideas in DES and AES, featuring transposition cycles of the entire Vstring, (the block), and corresponding substitution boxes, where the keymay be of any size and from which v-bits size keys can be extracted toeffect exclusive-OR bit by bit operation over any transposed orsubstituted version of the original v-bits size value string V. Like inDES or AES, several cycles may be used. The underlying idea being toachieve a good mix of the v-bits of the V string, such that thevoid-bits and the extract-value coin bits will form a randomizedcombination resisting cryptanalysis.

One-to-Many Encryption:

A one-to-many encryption where the size of the ciphertext isconsiderably larger than the size of the plaintext will allow for arandom selection to determine the choice ciphertext that will encryptback to the plaintext. Accordingly the cryptanalyst holding both asingle ciphertext and the plaintext might analyze the situationexhaustively and find many encryption keys that would lead from sameplaintext to same ciphertext, resulting in residual entropy and notsufficient data to determine which of the possible keys is the oneactually used. And since both plaintext and ciphertext are bona fidepseudo-random strings, there is no feedback to guide the cryptanalyst.

Use of U.S. Pat. No. 6,823,068 for One-to-Many Encryption:

U.S. Pat. No. 6,823,068 is a one to many encryption where the key may bedesigned to create a much larger ciphertext size string than a plaintextsize string. This will allow for a large spectrum of possible keys to beused for converting the plaintext to the ciphertext.

Re-Voiding:

The idea here is that each recipient of the coin will re-populate thevoid bits with some pseudo-random number generator, before encryptingthe value string with the key of the next recipient of the coin. Thiswill further frustrate the cryptanalyst and will deny him the ability tohold a matching pair of plaintext and ciphertext. The ciphertext whichthe cryptanalyst will catch from the transfer of the mint to the firsttrader will correspond to a different plaintext from the one he will begetting from that first trader because the first trader will re-populatethe void bits.

In order to a redeem a digital coin, the redeemer will have to prove tothe coin redeeming agency that she has the exact identities of all thebits in the one or multiple extract-value substrings within, V, thevalue string of the coin. Partial knowledge of some of the bits is notsufficient. And because the identities of those bits is perfectly (ornear perfectly) random, then for sufficiently large number of such bitsthe chances of defrauding the system by guessing or inferring theidentities of those bits are exceedingly negligible. The mint decideshow many bits are needed to express a given value, and it can decide touse a large number of bits for large sums of money.

Coin Splitting

Using the EII digital coins a first user (Alice) could transact with asecond user (Bob) in a continuous payment mode with very low, or veryhigh payment rate per event or per unit of time. Let Alice be inpossession of a $10.00 coin comprised of 10,000 bits value string, V.Within V there is a single extract-value string that is 1000 bits long,stretching from, say bit s=1201 to bit e=2200. Let the effective $/bitconversion rate be $0.01/bit. Suppose now that Alice wishes to pay Bobat a rate of two cents per minute for some continuing service Bobprovides her. To do that Alice will first pass to Bob her coin at zerovalue. This would be the same coin as hers, using the same identity, andthe same payment attributes. Its value string V will be also 10,000 bitslong, only that Alice will send Bob 10,000 pseudo-random bits, and theinterpretation string I will be say s=2201, and e=2200. Accordingly thecoin owned by Bob will be worth $0.00. Bob will be able to confirm withthe mint that Alice's coin appears valid and not redeemed. Now as thepayment period starts, then after 1 minute Alice owes Bob 1 US cent. Shewill then pass to Bob the identity of bit number 2200, and decrement thee value in its coin from 2200 to 2199. Bob will place the bit identitygiven to him by Alice in his value string, into bit number 2200, andwill set his s value to 2200. These actions will cause Alice's coin tolose 1 cent in value because Alice's extract-value string now spreadsfrom s=1201 to e=2199, which corresponds to the length of theextract-value string of e−s+1=2199−1201+1=999, with a correspondingvalue of $9.99 given the $/bit conversion rate of $0.01/bit. So bypassing the identity of the single bit from her coin to Bob's, and bydecrementing the value of the e bit from 2200 to 2199, Alice hasadjusted her coin to rate at one cent less than $10.00. At the same timeBob's value interpretation string shows an extract-value string ofe−s+1=2200−2200+1=1, and per the same $/bit conversion, Bob's coin willrate at $0.01. So the net effect was a split of the original Alice cointo two coins where Alice coin is worth $9.99 and Bob's coin is worth$0.01—together they are worth the $10.00 which Alice's coin was worthbefore this transaction setting. When another minute passes, theelectronic circuitry between Alice and Bob passes the identity of thenext bit from Alice to Bob. Alice, then decrement its e setting frome=2199 to e=2198, and its extract-value string is now:e−s+1=2198−1201+1=998 bits long, which is valued a $9.98 (one cent lessthan a minute ago). Bob receives the identity of the bit sent to him byAlice, and places this bit at position s=2199. His extract-value stringis e−s+1=2200−2199+1=2 bits long, which corresponds to a value of $0.02.Again the sum values of Alice's string and Bob's string is $10.00, butAlice's string decrements its value 1 cent/minute, and Bob's stringincrements its value 1 cent/minute. If Bob's service to Alice lasts 20minutes, then after 20 minutes Alice stops the flow of bit, and by thenshe has marked her e value to be e=2200−200=2000, and her extract-valuestring is: e−s+1=2000−1201+1=800 bits, or $8.00 of value, while Bob'svalue string shows s=2001, and it comprises: e−s+1=2200−2001+1=200 bitsor $2.00. At any point during the continuous payment transaction thatlasts 20 minutes, Bob could contact the mint with the identities of thebits that Alice sent him, and validate with the mint that the bits areproperly identified, and the payment is bona fide. Alice, if she lateron sends the $8.00 coin to, say, Carla, will first re-void the bits from1 to 1200 and from 2001 to 10,000—meaning she will populate those bitswith pseudo-random values. So will Bob do when he pays his $2.00 coinfurther.

The described digital coins minting procedure allows for coins to be offixed size regardless of value, but at the same time it allows for coinsplitting at any desired resolution without having to negotiate with themint each time around. Splitting will happen by passing coin bitsbetween payer and payee at the agreed upon rate.

Expiring Digital Coins

The expiring digital coins program (EDC) works as follows: a group of nasset holders, player, may wish to play-trade with their assets. Theywill choose an EDC operator who would mint digital coins with a setexpiration date Te+r, where Te is a set time point, and r is anextension of Te, and it has a value that will be determined at timepoint Te. The group puts in play n assets: A₁, A₂, . . . . A_(n) andeach player receives EDC coins in the amount corresponding to the valueof the asset he or she put into play. Once done, the ‘trade-game’proceeds in a series of ‘rounds’. The rounds are punctuated in time, forexample one round per hour, or one round per day. So that the expirationtime point Te corresponds to a set number of rounds. Before the tradebegins each player owns the asset he or she put into play. A first‘round’ is announced by the EDC operator. In a round each player bidsany amount of his choice from the EDC coins he holds, on any of the nassets. A player can distribute his EDC coins among several assets orconcentrate his or her bidding on one asset. The bidding is secret. Eachplayer informs the EDC operator by the deadline for the round, as to hisbiddings. When the bidding is done the EDC operator examines the bids,and assigns each asset to the highest bidder for that asset. If an assethas received two or more highest bids then the asset remains in thehands of its current owner. The winning bidder pays the expiring coinsto the owner of the assets, and in turn receives ownership of same assetA winner of an asset must keep the asset in the bidding, as long as therounds continue, but he or she may bid on the asset they own, and win itagain, if their bid is the highest. By the round that corresponds totime point Te, a random process of some sort determines the values of rfrom a preset of possible values, say, 0 to 6—allowing for no morerounds, or up to six rounds. When the rounds are done (at time pointTe+r), the bidding money “vaporizes”, expires. All the assets remain inthe hands of those who won them last. So the net result is that theplaying money disappears, but ownership of the n assets has beenshuffled around. Those who anticipated well what the others will do, andplayed with a good strategy won.

A sensitive question is how to determine the values of the asset eachplayer brings to the trade-game. This determination is done viaconsensus. The owner of an asset suggests X as the value of the asset.If all the other players agree, the owner puts this asset to play andreceives $X expiring dollars. If one or more of the others disagree thenthey propose a lower sum $Y. If the owner agrees to the counterproposal, then $Y is the value of his assets, and he receives $Yexpiring dollars. The owner and the others may propose and counterpropose until they agree on a sum $Z, and that is the amount of expiringdollars he receives, or until they decide that they can't reach aconsensus, and that owner does not join the trade-game. The reason foreach asset owner to receive expiring dollar in proportion to theestimated value of his asset is that he or she puts at risk their asset.

The EDC trade-game creates activity with the use of expiring money. Itshuffles assets among traders using dedicated, expired money.

Additional rules: 1. bidders cannot pool their money to outbid theothers. Each player can bid only his or her own money. 2. The expiredmoney is not tradable outside the trade-game itself, 3. All players knowhow much expiring money the other have, but they know not what eachbids.

The detailed description of the present invention is presented largelyin terms of procedures, steps, logic blocks, processing, or othersymbolic representations that directly or indirectly resemble theoperations of devices or systems that produce the effect. Thesedescriptions and representations are typically used by those skilled inthe art to most effectively convey the substance of their work to othersskilled in the art.

Reference herein to “one embodiment,” “various embodiments,” or “anembodiment” means that a particular feature, structure, orcharacteristic described in connection with the embodiment can beincluded in at least one embodiment of the invention. The appearances ofthe phrase “in one embodiment” in various places in the specificationare not necessarily all referring to the same embodiment, nor areseparate or alternative embodiments mutually exclusive of otherembodiments.

Further, the order of blocks in process flowcharts or diagrams or theuse of sequence numbers representing one or more embodiments of theinvention do not inherently indicate any particular order nor imply anylimitations in the invention. Referring now to the drawings, in whichlike numerals refer to like parts throughout the several views.

1. A method to mint digital money by constructing a coin fromconcatenated or otherwise linked bit strings:
 1. Coin identity string,2. Coin value string, V,
 3. Coin interpretation string, I,
 4. Coinattributes string, and
 5. Cryptographic parameters string, such that theidentity of the coin is expressed in the bit identity of the coin valuestring, which is built as a random string, or as a sufficientlyhigh-quality pseudo-random string, and where the value of the coin isexpressed in the coin interpretation string, I, via parameters whichrelate to the value string, V, and where the I parameters define asubstring of V which is the extract-value string that reflects theidentity of the coin while the other bits in V are random noise and haveno bearing on the value of the coin; and where the coin attributesstring specifies terms of payment expressing any logical condition thathas to be satisfied before the digital money (coin) is regarded as readyto be used as payment (redeemed).
 2. The method of claim 1 where theinterpretation string identifies the starting bit (s) and the ending bit(e) of the extract-value string, and also the $/bit or other commoncurrency per bit value, d, such that the value of the coin is given byd*(e−s+1).
 3. The method of claim 1 where the interpretation stringidentifies the starting bit (s), and the ending bit (e), of the extractvalue string, and also a $/bit or other common currency per bit value,d, and also a bit count m of bits: s, s+1, s+2, . . . S+m−1, such thatthe numeric value of the m-bits long string, M is a multiplier so thatthe value of the coin is given by: d*M*(e−s+1−m)
 4. The method of claim1 where the value string V contains more than one extract-valuesubstrings, and where the value of the coin is the sum total of thevalues of all the extract-value substring.
 5. The method of claim 1where a first user pays a second user in a time driven or an eventdriven mode, by having both the first user and the second user share twocoins with the same respective string components, only that the valueinterpretation substrings indicate at any moment the attributes of thevalue strings for the first user and the second user, as they are movingbits belonging to the value string from the first user to the seconduser effecting the continuous payment.
 6. (canceled)
 7. The method ofclaim 1 where the terms of payment specify a named entity, (individualor organization), identified by unique attributes, such that only thatnamed entity will be allowed to redeem the digital money (to be paid innominal currency for its face value), and such that all others will bedenied the option to redeem the digital coin,
 8. The method of claim 1where the terms of payment specify a group of entities (individuals ororganizations), identified by unique attributes, such that only membersof the specified group will be allowed to redeem the digital money (tobe paid in nominal currency for its face value), and such that allothers will be denied the option to redeem the digital coin.
 9. Themethod of claim 1 such that a member of the group specified as allowedto redeem the digital coin, (coin claimant) identifies itself by name,‘name’, to the coin redeeming authority (CRA), and the CRA returns arandom number, ‘random’ to the coin-claimant, which the claimant submitsalong with his name to an administrative authority of the group named inthe meta-data of the coin, and which said administrative authority signswith its private key producing a signed signature of ‘name’+‘random’,such that the coin claimant then submits the signed ‘name’ plus ‘random’to the CRA, which the CRA then decrypts with the public key of the groupadministrative authority in order to authenticate the coin claimant as abona fide member of the group specified in the cryptographic parametersstring of the digital coin, and so concluding the CRA redeems the coinin favor of the coin claimant.
 10. The method of claim 1 such that theterms of payment string specify a starting redemption date and anexpiration date, such that the digital coin cannot be redeemed beforethe starting redemption date, and cannot be redeemed after theexpiration date.
 11. The method of claim 1 such that mint entity thatmints and redeems digital money collaborates with traders to jointlyearn interest, or jointly gamble in the stock market, or other markets,by having the trader pay the mint the investment sum, and the mint,counters by issuing the trader a digital coin for the face value of hisinvestment, and the mint also, right away deposits the trader's money inan interest bearing account, or the mint is purchasing certain valuablesin a stock market or another appropriate market, and such that anyprofit or loss from the investment is shared between the mint and thetrader in pre-agreed proportion, and also such that all the time betweenminting the coin in favor of the trader, and the time of redemption ofsaid coin, the trader may use the digital coin, as if it were readymoney, pay an obligation with it, or purchase goods and services, suchthat the recipient of the coin, and anyone to whom the coin is paidsubsequently, also does not request the mint to redeem the coin.
 12. Themethod of claim 11 such that a group of traders agree to exchangedigital coins used for investment as in (6) only inside the group, tosatisfy mutual obligations, and exercise mutual transactions, all thewhile insuring that these investment digital coins are not submitted forredemption before the group decides so, and when redemption isexercised, then the profits or loss from said investment are sharedwithin the group as pre-agreed.
 13. A method by which a mint entity thatmints and redeems digital money collaborates with merchants, theircustomers, and credit-extending entities (CEE) to allow the CEE toextend credit to selected group of customers, so that these customerscan shop with any participating merchant, the method comprising theminting of unpaid digital coins marked in their terms-of-payment as‘paid on demand’ (POD), and the mint conveying said POD marked coins toa CEE, which in turn conveys said coins, per its risk assessment, tosome selected credit-purchasers (individuals or organizations) such thatthe credit purchasers may use said coins with any participating merchantof their choice, and said merchant submits the POD-marked coins to themint for redemption, and such that the mint, in turn, requests the CEEto pay the mint the nominal value of the digital coins submitted forredemption, and such that if the CEE pays the mint, the mint, in turn,pays the participating merchant, which, in turn, releases the goods orservices to the credit-purchasing customer, and thereby concludes thecredit based transaction, except that the CEE and the credit-purchasingcustomer still have to settle the credit-purchase between them.
 14. Amethod to pay for utility consumption on a real-time basis by splittingdigital coins at a rate that pays exactly for the utility measure beingconsumed; the digital coin being latched into a utility usage deviceequipped with a computing apparatus that matches the consumption ofvalue bits from the latched digital coin to the real time consumption ofthe utility; the utility flow is stopped when no more payment bits areavailable.
 15. The method of claim 14 whereby the split off (paid) valuebits erased, and the utility company is paid when the digital coin ispurchased.
 16. The method of claim 14 whereby the split off (paid) valuebits are accumulated in a receiving coin (bit container), and from wherethey are being returned to the original latched coin, in the event wherethe utility consumer generates a measure of the utility which is beingsold back to the utility company, as is common with electrical power.17. The method of claim 14 where the paying coin is in a form of atamper-resistant hardware, and where a validating cryptographic protocolis used to verify the paying coin as bona-fide.
 18. The method of claim14 where the paid bits are sent to the utility company which eventuallyredeems them with the mint.